VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 19, 2022· Updated Aug 3, 2024

Out-of-bounds Read in vim/vim

CVE-2022-2126

Description

Out-of-bounds read in Vim's spell suggestion functionality prior to version 8.2.5123, potentially leading to arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Out-of-bounds read in Vim's spell suggestion functionality prior to version 8.2.5123, potentially leading to arbitrary code execution.

Vulnerability

An out-of-bounds read vulnerability exists in Vim's spell suggestion functionality, specifically in the suggest_trie_walk function within src/spell.c. In versions prior to patch 8.2.5123, the code could decrement an index below zero when processing certain words with the z= command, leading to an out-of-bounds read. The issue is triggered when spell checking is enabled and the z= command is used on a word with certain characteristics.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious text file or input that, when processed by Vim with spell checking enabled (e.g., using the z= command), causes the out-of-bounds read. No authentication is required, as the attacker only needs to convince the victim to open the crafted file or input in Vim.

Impact

Successful exploitation could lead to arbitrary code execution in the context of the Vim process, potentially compromising the confidentiality, integrity, and availability of the system. The impact is limited by the crash or potential memory corruption caused by the out-of-bounds read.

Mitigation

The vulnerability is fixed in Vim version 8.2.5123, available from the official GitHub repository [4]. Users should update their Vim installation to a patched version. No workaround is available other than avoiding untrusted input with spell checking enabled.

References
  1. patch 8.2.5123: using invalid index when looking for spell suggestions · vim/vim@156d391

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check before decrementing an index allows underflow below zero, causing an out-of-bounds read."

Attack vector

An attacker can trigger an out-of-bounds read by providing crafted input that causes Vim's spell suggestion mechanism to enter the `DIFF_INSERT` branch in `suggest_trie_walk` when `sp->ts_fidx` is already zero [ref_id=1]. The patch adds a guard (`sp->ts_fidx > 0`) before the decrement, indicating that without this check the index can underflow below zero, leading to an out-of-bounds memory read [ref_id=1].

Affected code

The vulnerability resides in `src/spell.c` in the `suggest_trie_walk` function. The faulty code path is at line 1976-1980 of the original file, where `sp->ts_fidx` is decremented without first checking that it is greater than zero [ref_id=1].

What the fix does

The patch adds a condition `&& sp->ts_fidx > 0` to the `else if (sp->ts_isdiff == DIFF_INSERT)` branch in `suggest_trie_walk` [ref_id=1]. This prevents the decrement of `sp->ts_fidx` when it is already zero, avoiding an underflow that would cause an out-of-bounds read. A new test function `Test_z_equal_on_single_character()` was also added to verify the fix [ref_id=1].

Preconditions

  • inputThe user must open a crafted file or input that triggers Vim's spell suggestion feature (e.g., via z= command)
  • configThe spell suggestion code path must reach the DIFF_INSERT branch when ts_fidx is zero

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

14

News mentions

0

No linked articles in our index yet.